
Win32.TDSS

As a malware researcher I just got my hands on one of the latest TDSS malware samples.

The malware protects itself against execution inside a virtual machine by using the SIDT query technique (reading the IDT base address with the SIDT instruction); if a VMware environment is detected, the malware simply terminates and removes itself from the machine. For this analysis I used only a real machine. The malware also prevents itself from being executed more than once by means of a named event, which is convenient as a signalling and synchronization primitive as well.
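To make the SIDT check concrete, here is an added example of the classic "Red Pill" test that this kind of anti-VM code performs. It is not code from the sample or from the original analysis. SIDT is unprivileged on x86, so user-mode code can read the IDT base; the heuristic (from Joanna Rutkowska's 2004 Red Pill note) is that 32-bit Windows on real hardware keeps the IDT around 0x80xxxxxx, while VMware relocated it to 0xffxxxxxx and Virtual PC to 0xe8xxxxxx, so a base above 0xd0000000 is taken to mean "virtual machine". The threshold, the function names and the sample addresses are assumptions taken from that note, not from the page, and the test is unreliable on multi-core hosts, 64-bit Windows and current hypervisors, so treat it as an illustration of what the dropper does rather than a usable detector.

```c
/* Added example: Red Pill SIDT virtual-machine check (not the malware's code).
 * The 0xd0000000 threshold and sample addresses follow Rutkowska's 2004 note
 * and are assumptions, not values taken from the TDSS sample. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REDPILL_VM_THRESHOLD 0xd0000000u

/* Packed image of what SIDT writes: a 16-bit limit followed by the base
 * (32 bits in 32-bit code, 64 bits in 64-bit code). The struct is 10 bytes
 * so it is large enough for either; unused high bytes stay zero. */
#pragma pack(push, 1)
struct idtr {
    uint16_t limit;
    uint64_t base;
};
#pragma pack(pop)

/* Red Pill heuristic: returns 1 when the low 32 bits of the IDT base look
 * like a VMware / Virtual PC placement, 0 when they look like a native
 * 32-bit Windows kernel. Kept as a pure function so it can be exercised
 * with constructed values without executing SIDT. */
int idt_base_looks_virtual(uint32_t idt_base_low32)
{
    return idt_base_low32 > REDPILL_VM_THRESHOLD;
}

/* Executes SIDT and stores the IDT base. Returns 0 on non-x86 builds where
 * the instruction does not exist. On Linux with UMIP enabled the kernel may
 * trap or emulate the instruction, so the value is only illustrative there. */
int read_idt_base(uint64_t *base_out)
{
#if defined(__i386__) || defined(__x86_64__)
    struct idtr r;
    memset(&r, 0, sizeof r);
    __asm__ volatile ("sidt %0" : "=m" (r));
    *base_out = r.base;
    return 1;
#else
    (void)base_out;
    return 0;
#endif
}

int main(void)
{
    uint64_t base = 0;
    if (!read_idt_base(&base)) {
        puts("SIDT is not available on this architecture");
        return 0;
    }
    /* The sample would terminate and delete itself on the "virtual" branch;
     * here we only report the verdict. */
    printf("IDT base: 0x%016llx -> %s\n", (unsigned long long)base,
           idt_base_looks_virtual((uint32_t)base) ? "looks virtual (Red Pill)"
                                                   : "looks native");
    return 0;
}
```

On a 64-bit host the IDT base is a kernel address well above 0xd0000000 in its low 32 bits, which is one reason the raw threshold gives false positives today; the useful lesson for an analyst is to recognise the SIDT instruction followed by a comparison against a constant, not to trust the verdict.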

From the above we can conclude that the malware hooks the Google Toolbar and uses the Omaha client-server update protocol (version 2), Google's protocol for updating its products. It does this, first, to report in to the remote server and check for new updates of itself, and second, to alter the user's search responses from Google and redirect them to its affiliates ("partnerkas"), as we saw above.
It also sends the victim's operating system details, including the OS version and service pack.

Local System Modifications.
wiaservg.log
%System%\wbem\grpconv.exe
%Windir%\Temp\wpv801271783310.exe